Researchers Use Bluetooth to Stop Engine of Moving Car
Security researchers have identified issues in the Bosch on-board diagnostics (OBD) dongle and associated mobile app that would allow an attacker to stop the engine of a moving vehicle. They also reported the increased possibility that an attacker could send random instructions to physically affect the car and its passengers.
Bosch Drivelog, a car management platform that combines the Drivelog Connector (OBD-II dongle) and the Connect app for Android and iOS, offers a simple way to understand warning flags or error codes displayed by the car. The app connects to the dongle via Bluetooth using the just-works authentication mechanism and offers details about the duration of a drive, speed, distance covered and fuel consumption.
Researchers from Argus, an automotive-focused cyber security company, analyzed the Drivelog Connector and found its message filtering protection against incorrect diagnostics did not extend to all received messages, and that it covered only a small subset of diagnostic data. An attacker communicating with the dongle could push malicious messages into the CAN (controller area network) bus, which facilitates communication between microcontrollers in the car tasked with controlling the brakes, suspension, speed and steering of the vehicle, among other functions.
A second vulnerability was discovered in the pairing process between the dongle and the mobile app. Researchers found that, although the traffic exchange was encrypted, Drivelog Connector leaked enough information during the initial handshake for an attacker to figure out the pairing PIN through offline brute-forcing. Public benchmarks revealed that a modern laptop could find the eight-digit PIN in about 30 minutes.
Argus disclosed the vulnerabilities to Bosch before making them public to give the manufacturer time to come up with a solution. Although the implications are unsettling, taking advantage of these flaws requires strong technical skills. Furthermore, the possibility of a real-life attack is limited by the proximity to the Drivelog Connector, which is given by the Bluetooth range (about 100 meters, without interference).
Bosch has taken precautions to prevent tampering with cars that have a Drivelog Connector by implementing two-step verification for additional users trying to connect to it. Having done this, the message filtering issue is much tougher to exploit at the moment, and will be addressed in a future firmware update, a security advisory from Bosch informs.
The entire Drivelog platform was built with security in mind, but this does not mean it’s bulletproof against hacking. In reality, it’s only more difficult to break, and the effort required to succeed discourages many attackers.
Photo credit: BoschBosch car dongle car hacking Driverlog